A variety of "key recovery," "key escrow," and "trusted third-party" encryption requirements have
been suggested in recent years by government agencies seeking to conduct covert surveillance
within the changing environments brought about by new technologies. This report examines the
fundamental properties of these requirements and attempts to outline the technical risks, costs, and
implications of deploying systems that provide government access to encryption keys.

INTRODUCTION

One year after the 1997 publication of the first edition of this report, its essential finding remains 
unchanged and substantively unchallenged: The deployment of key recovery systems designed to 
facilitate surreptitious government access to encrypted data and communications introduces 
substantial risks and costs. These risks and costs may not be appropriate for many applications 
of encryption, and they must be more fully addressed as governments consider policies that would 
encourage ubiquitous key recovery. 

Our 1997 "Risks" report was designed to stimulate a public, technical debate and analysis that, in 
our judgment, must precede any responsible policy decision that could result in the wide-scale 
deployment of key recovery systems. While there are numerous and important economic, social, 
and political issues raised by key recovery, the report's analysis was confined to the technical 
problems created by deployment of key recovery systems designed to meet government access 
specifications. As of mid-1998, no substantive response addressing these technical concerns has 
been offered. 

While efforts have been made over the last year to design key recovery systems for commercial 
purposes, they do not alleviate the concerns raised by deployment at the scale and in the manner 
required to meet government demands. The design of secure key recovery systems remains 
technically challenging, and the risks and costs of deploying key recovery systems are poorly 
understood. Most significantly, government demands for access place additional requirements on 
key recovery systems, including covert access, ubiquitous adoption, and rapid access to plaintext. 
There is good reason to believe that these additional requirements amplify the costs and risks of 
key recovery substantially.

In the past year, the importance of cryptography for protecting computing and communications
systems has gained broader recognition among the public and within industry. Most presently-deployed
encryption systems support rather than hinder the prevention and detection of crime.
Encryption helps to protect burglar alarms, cash machines, postal meters, and a variety of vending 
and ticketing systems from manipulation and fraud; it is also being deployed to facilitate electronic 
commerce by protecting credit card transactions on the Net and hindering the unauthorized 
duplication of digital audio and video. However, the deployment of encryption (and other 
information protection mechanisms) is still patchy. Most automatic teller machine transactions 
are protected by encryption, but transactions made by bank staff (which can involve much larger
amounts of money) are often not protected. Most Internet electronic mail is still sent "in the
clear" and is vulnerable to interception. Most cellular telephone calls in the U.S. are still sent over 
the air without the benefit of strong encryption. The situation is similar in other areas. 

Members of the law enforcement and intelligence communities continue to express concern
about widespread use of unescrowed cryptography. At the same time, these communities have
expressed increasing alarm over the vulnerability of "critical infrastructure." But there is a 
significant risk that widespread insertion of government-access key recovery systems into the 
information infrastructure will exacerbate, not alleviate, the potential for crime and information 
terrorism. Increasing the number of people with authorized access to the critical infrastructure 
and to business data will increase the likelihood of attack, whether through technical means, 
by exploitation of mistakes or through corruption. Furthermore, key recovery requirements, 
to the extent that they make encryption cumbersome or expensive, can have the effect of 
discouraging or delaying the deployment of cryptography in increasingly vulnerable computing 
and communications networks. 

The technical concerns about key recovery and trusted third-party systems in 1998 remain largely 
unchanged from our 1997 analysis. We specifically do not address questions of how and whether 
key recovery might benefit law enforcement and whether there are alternatives to key recovery 
that might achieve equal or greater benefits. However, the predictable costs and risks of key 
recovery, particularly when deployed on the scale desired by law enforcement, are very substantial. 
The onus is on the advocates of key recovery to make the case that the benefits outweigh these 
substantial risks and costs. 

BACKGROUND 

Cryptography policy is a complex area, with scientific, technical, political, social, business, and 
economic dimensions. Our report is focused on the technical and economic aspects of the key 
recovery problem. In particular, we concentrate on the question of whether secure key recovery 
systems that meet government specifications are technically possible, and, if so, what additional 
costs and risks we would expect such systems to entail. 

For the purposes of this report, "key recovery" systems are characterized by the presence of some 
mechanism for obtaining exceptional access to the plaintext of encrypted traffic. Key recovery 
might serve a wide spectrum of access requirements, from a backup mechanism that ensures a 
business' continued access to its own encrypted archive in the event keys are lost, to providing 
covert law enforcement access to wiretapped encrypted telephone conversations. Many of the costs, 
risks, and complexities inherent in the design, implementation, and operation of key recovery 
systems depend on the access requirements around which the system is designed.

We focus specifically on key recovery systems designed to meet government access specifications.
These specifications diverge in important ways from the needs of commercial or individual 
encryption users: 

1. Access without end-user knowledge or consent - Few commercial users need (or
want) covert mechanisms to recover keys or plaintext data they protect. On the contrary, business
access rules are usually well known, and audit is a very important safeguard against fraud and
error. Government specifications require mechanisms that circumvent this important security
practice.

2. Ubiquitous adoption - Government seeks the use of key recovery for all encryption,
regardless of whether there is benefit to the end-user or whether it makes sense in context. In
fact, there is little or no demand for key recovery for many applications and users. For example,
the commercial demand for recovery of encrypted communications is extremely limited, and the
design and analysis of key recovery for certain kinds of communications protocols is especially
difficult.

3. Fast paths to plaintext - Law enforcement demands fast (near real-time), 24-hour-a-day,
365-day-a-year access to plaintext, making it impossible to employ the full range of safeguards
that could ameliorate some of the risks inherent in commercial key recovery systems.

These special demands significantly increase the risks and costs identified in this report. While key 
recovery systems designed to meet commercial needs also have associated costs and risks, we 
address most of our attention to the effects caused by the special demands - rapid, covert access 
to all encrypted data - of government-access systems. 

CRITIQUES OF THE 1997 REPORT 

As noted above, there has been no published substantive response to the concerns we raised in 
our 1997 report. The few critiques of which we are aware avoid addressing the issues in any 
technical depth, and they mischaracterize our findings:

1. "The report assumes a single, massive, centralized infrastructure" - Although some key
recovery proposals are centralized, our report examined key recovery generally, whether it takes
the form of a single government-controlled infrastructure or many decentralized, private sector
systems. The risks and costs identified arise chiefly from the functional requirements of key
recovery (and especially on the scale sought by government), not from the manner in which
these requirements are implemented.

2. "The report claims key recovery is impractical, but in fact industry, notably members of the Key
Recovery Alliance (KRA), is already developing key recovery products" - While some companies
are developing key recovery products, it is not at all clear that these products will achieve the
ubiquitous scale envisioned by government. Many of these systems address narrow applications,
where added risks and costs may be appropriate, or are at least easier to measure and weigh
against end-user benefits.

3. "Key recovery's benefits outweigh its costs" - Key recovery may have benefits for some users
and for government. Ultimately, weighing these benefits and costs is an exercise for the
marketplace and policymakers, and is outside the scope of this report. In this report we have merely
tried to explain why the costs will be substantial.

KEY RECOVERY IN 1998 

As of mid-1998 we have seen a wide range of government, industry, and academic efforts 
toward specifying, prototyping, and standardizing key recovery systems that meet government 
specifications. Some of industry's efforts were stimulated by U.S. government policies that offer 
more favorable export treatment to companies that commit to designing key recovery features into 
future products, and by U.K. government moves to link the licensing of certification authorities to 
the use of key recovery software. 

Yet despite these incentives, and the intense interest and effort by research and development 
teams, neither industry nor government has yet produced a key recovery architecture that 
universally satisfies both the demands of government and the security and cost requirements 
of encryption users. 

The commercial key recovery products in existence today do not reconcile the conflict between 
commercial requirements and government specifications. In the absence of government pressure, 
commercial key recovery features are by their nature of interest primarily to business operations 
willing to pay a significant premium to ensure continued access to stored data maintained only 
in encrypted form. Even within enterprises that do require key recovery products, many of the 
applications of encryption (such as communication traffic) are known in advance not to require
recoverability and therefore would not be designed to use a key recovery system. 

Another problem is that the most secure and economical commercial key recovery systems do 
not support the real-time, third-party, covert access sought by governments in order to support 
surveillance. In particular, "self-escrow" by an individual does not meet government access 
demands. The third-party nature and global reach implied by these government demands make 
key recovery systems a much more difficult, expensive, and risky proposition than a facility for 
internal, off-line recovery in a business enterprise. For example, most organizations keep backups
in the form of plaintext on magnetic media in physically protected premises. Similarly, organizations
that keep encrypted data might naturally be best served by storing backup keys in a bank safe 
deposit box. A requirement for near-real-time access would preclude this approach, however 
prudent or appropriate. 

Any access-time requirement carries with it special risks. In particular, some sort of network 
technology will generally be required. Such a network, which must link a large number of 
law enforcement agencies with different key recovery centers, would be extraordinarily 
difficult to secure. 

The current attention in the U.S. on the problem of securing critical infrastructure, such as 
telephone networks, power grids, national banking networks and air traffic control systems, 
underscores the problem of managing risk in key recovery. The systems that support critical
infrastructure, which are increasingly reliant on open networks and information systems, are
among the most important current and future applications of cryptography. The complexity and
increased risk introduced with key recovery would make critical infrastructure protected by 
cryptography more vulnerable to the kinds of sophisticated attackers that pose the most serious 
threats to these systems. 

In the 1997 edition of this report, we observed that many of the complexities, risks, and costs
that make government-access key recovery difficult and expensive to build and operate in a secure 
manner arise from the requirements themselves. They are largely independent of the engineering 
details of particular systems. It is not difficult to design and implement small-scale systems that 
successfully recover keys or plaintext according to some access policy; indeed, many 
organizations already have in place practices that ensure the continued availability of their data. 
The difficulties arise from ensuring that a large-scale system, or system of systems, does not 
inadvertently or maliciously leak data. 

Government specifications for key recovery systems for export approval are focused on the easier 
problem of ensuring that keys are recoverable when authorized. They do not address or give 
techniques for the far harder problem of ensuring against unauthorized disclosure of data. The 
design and construction of prototype key recovery systems that satisfy government specifications 
for export, therefore, are not sufficient to demonstrate that these systems can be operated
securely, in an economical manner, on a large scale, or without introducing unacceptable new risks. Any
assessment of a proposed system must take into account a broad range of design, implementation, 
operation, and policy considerations. 

As of mid-1998, we are aware of no key recovery proposals that have undergone analysis of the 
kind required. On the other hand, as our report notes, there are compelling reasons to believe 
that, given the state of the art in cryptology and secure systems engineering, government-access 
key recovery is not compatible with large scale, economical, secure cryptographic systems.

A variety of "key recovery," "key escrow," and "trusted
third-party" encryption requirements have been 
suggested in recent years by government agencies 
seeking to conduct covert surveillance within the 
changing environments brought about by new 
technologies. This report examines the fundamental 
properties of these requirements and attempts to 
outline the technical risks, costs, and implications 
of deploying systems that provide government access 
to encryption keys. 

The deployment of key-recovery-based encryption
infrastructures to meet law enforcement's stated
specifications will result in substantial sacrifices in
security and greatly increased costs to the end-user.
Building the secure computer-communication
infrastructures necessary to provide adequate
technological underpinnings demanded by these
requirements would be enormously complex and is
far beyond the experience and current competency
of the field. Even if such infrastructures could be built,
the risks and costs of such an operating environment
may ultimately prove unacceptable. In addition, these
infrastructures would generally require extraordinary
levels of human trustworthiness.

These difficulties are a function of the basic government
access requirements proposed for key-recovery
encryption systems. They exist regardless of the design
of the recovery systems - whether the systems use
private-key cryptography or public-key cryptography;
whether the databases are split with secret-sharing
techniques or maintained in a single hardened secure
facility; whether the recovery services provide private
keys, session keys, or merely decrypt specific data as
needed; and whether there is a single centralized
infrastructure, many decentralized infrastructures,
or a collection of different approaches.

All key-recovery systems require the existence of a
highly sensitive and highly-available secret key or
collection of keys that must be maintained in a secure
manner over an extended time period. These systems
must make decryption information quickly accessible
to law enforcement agencies without notice to the key
owners. These basic requirements make the problem
of general key recovery difficult and expensive - and
potentially too insecure and too costly for many
applications and many users.

Attempts to force the widespread adoption of 
key-recovery encryption through export controls, 
import or domestic use regulations, or international 
standards should be considered in light of these 
factors. The public must carefully consider the costs 
and benefits of embracing government-access key 
recovery before imposing the new security risks and 
spending the huge investment required (potentially
many billions of dollars, in direct and indirect costs)
to deploy a global key recovery infrastructure. 



Group Charter 




This report stems from a collaborative effort to study 
the technical implications of controversial proposals 
by the United States and other national governments to 
deploy large-scale "key recovery" systems that provide 
third-party access to decryption keys [13]. Insofar as
is possible, we have considered the impact of these
policies without regard to individual encryption
schemes or particular government proposals. Rather,
we have attempted to look broadly at the essential
elements of key recovery needed to fulfill the expressed
requirements of governments (as distinct from the
features that encryption users might desire).



This report considers the general impact of meeting 
the government's requirements rather than the merits 
of any particular key recovery system or proposal that 
meets them. Our analysis is independent of whether 
the key-recovery infrastructure is centralized or 
widely distributed. 

We have specifically chosen not to endorse, condemn,
or draw conclusions about any particular regulatory
or legislative proposal or commercial product. Rather,
it is our hope that our findings will shed further light on
the debate over key recovery and provide a long-needed
baseline analysis of the costs of key recovery as
policymakers consider embracing one of the most
ambitious and far-reaching technical deployments
of the information age.

Although there are many aspects to the debate on the
proper role of encryption and key recovery in a free
society, we have chosen to focus entirely on the technical
issues associated with this problem rather than on
more general political or social questions. Indeed,
many have suggested that the very notion of a pervasive
government key recovery infrastructure runs counter
to the basic principles of freedom and privacy in a
democracy and that that alone is reason enough to
avoid deploying such systems. This reasoning is
independent of whether the key-recovery infrastructure
is centralized or widely distributed. The technical
nature of our analysis should not be interpreted as an
endorsement of the social merits of government key
recovery; in fact, we encourage vigorous public debate
on this question.

[13] This report grew out of a group meeting at Sun Microsystems in Menlo Park, CA in late January
1997, including many of the authors and also attended by Ken Bass, Alan Davidson, Michael
Froomkin, Shabbir Safdar, David Sobel and Daniel Weitzner. The authors thank these other
participants for their contributions, as well as the Center for Democracy and Technology for
coordinating this effort and assisting in the production of this final report.

1. Background

1.1 Encryption and the Global
Information Infrastructure

The Global Information Infrastructure promises to
revolutionize electronic commerce, reinvigorate
government, and provide new and open access to
the information society. Yet this promise cannot be
achieved without information security and privacy.
Without a secure and trusted infrastructure, companies
and individuals will become increasingly reluctant
to move their private business or personal
information online.

The need for information security is widespread
and touches all of us, whether users of information
technology or not. Sensitive information of all kinds
is increasingly finding its way into electronic form.
Examples include:

• Private personal and business communications,
including telephone conversations, FAX messages,
and electronic mail;

• Electronic funds transfers and other financial
transactions;

• Sensitive business information and trade secrets;

• Data used in the operation of critical infrastructure
systems such as air traffic control, the telephone
network, or the power grid; and

• Health records, personnel files, and other
personal information.

Electronically managed information touches almost 
every aspect of daily life in modern society. This 
rising tide of important yet unsecured electronic data 
leaves our society increasingly vulnerable to curious 
neighbors, industrial spies, rogue nations, organized 
crime, and terrorist organizations. 

Paradoxically, although the technology for managing and 
communicating electronic information is improving 
at a remarkable rate, this progress generally comes 
at the expense of intrinsic security. In general, as 
information technology improves and becomes faster, 
cheaper, and easier to use, it becomes less possible 
to control (or even identify) where sensitive data 
flows, where documents originated, or who is at the 
other end of the telephone. The basic communication
infrastructure of our society is becoming less secure,
even as we use it for increasingly vital purposes. 
Cryptographic techniques more and more frequently 
will become the only viable approach to assuring 
the privacy and safety of sensitive information as 
these trends continue. 

Encryption is an essential tool in providing security in 
the information age. Encryption is based on the use of 
mathematical procedures to scramble data so that it 
is extremely difficult - if not virtually impossible - 
for anyone other than authorized recipients to recover 
the original "plaintext." Properly implemented 
encryption allows sensitive information to be stored 
on insecure computers or transmitted across insecure 
networks. Only parties with the correct decryption 
"key" (or keys) are able to recover the plaintext 
information. 

Highly secure encryption can be deployed relatively 
cheaply, and it is widely believed that encryption will 
be broadly adopted and embedded in most electronic 
communications products and applications for 
handling potentially valuable data. [14] Applications 
of cryptography include protecting files from theft 
or unauthorized access, securing communications 
from interception, and enabling secure business 
transactions. Other cryptographic techniques can be 
used to guarantee that the contents of a file or 
message have not been altered (integrity), to establish
the identity of a party (authentication), or to make
legal commitments (non-repudiation). 

In making information secure from unwanted 
eavesdropping, interception, and theft, strong 
encryption has an ancillary effect: it becomes more
difficult for law enforcement to conduct certain kinds
of surreptitious electronic surveillance (particularly
wiretapping) against suspected criminals without the 
knowledge and assistance of the target. This difficulty 
is at the core of the debate over key recovery. 

1.2 "Key Recovery": 
Requirements and Proposals 

The United States and other national governments have 
sought to prevent widespread use of cryptography 
unless "key recovery" mechanisms guaranteeing 
law enforcement access to plaintext are built into 
these systems. The requirements imposed by such 
government-driven key recovery systems are different 
from the features sought by encryption users, and 
ultimately impose substantial new risks and costs. 

Key recovery encryption systems provide some form 
of access to plaintext outside of the normal channel of 
encryption and decryption. Key recovery is sometimes 
also called "key escrow." The term "escrow" became 
popular in connection with the U.S. government's 
Clipper Chip initiative, in which a master key to each 
encryption device was held "in escrow" for release to 
law enforcement. Today the term "key recovery" is 
used as a generic term for these systems, encompassing
the various "key escrow," "trusted third-party," 
"exceptional access," "data recovery," and "key recovery" 
encryption systems introduced in recent years. 
Although there are differences between these systems, 
the distinctions are not critical for our purposes. In 
this report, the general term "key recovery" is used in 
a broad sense, to refer to any system for assuring 
third-party (government) access to encrypted data. 



[14] The National Research Council's comprehensive 1996 report on cryptography includes a detailed
examination of the rising importance of encryption. National Research Council, Cryptography's 




Key recovery encryption systems work in a variety of 
ways. Early "key escrow" proposals relied on the 
storage of private keys by the U.S. government, and 
more recently by designated private entities. Other 
systems have "escrow agents" or "key recovery 
agents" that maintain the ability to recover the keys 
for a particular encrypted communication session or 
stored file; these systems require that such "session 
keys" be encrypted with a key known by a recovery 
agent and included with the data. Some systems split 
the ability to recover keys among several agents. 
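
The recovery-field mechanism described above, as an added example that is not part of the original report. Assumptions: an HMAC-SHA256 counter-mode keystream stands in for a real cipher, symmetric agent keys stand in for the agents' public keys, and the split is a simple n-of-n XOR scheme.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32
PLAINTEXT = b"constructed sample message"  # constructed sample input


def keystream_xor(key, nonce, data):
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        pad = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, n):
    """n-of-n XOR split: every share is needed, any n-1 shares are random noise."""
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for share in shares:
        last = xor_bytes(last, share)
    return shares + [last]


def combine(shares):
    key = bytes(len(shares[0]))
    for share in shares:
        key = xor_bytes(key, share)
    return key


def encrypt_with_recovery(plaintext, agent_keys):
    """Encrypt under a fresh session key and attach a recovery field to the data."""
    session_key = secrets.token_bytes(KEY_LEN)
    nonce = secrets.token_bytes(16)
    shares = split_key(session_key, len(agent_keys))
    message = {
        "nonce": nonce,
        "ciphertext": keystream_xor(session_key, nonce + b"\xff", plaintext),
        # One wrapped share per recovery agent, carried with the ciphertext.
        "recovery_field": [
            keystream_xor(k, nonce + bytes([i]), s)
            for i, (k, s) in enumerate(zip(agent_keys, shares))
        ],
    }
    return session_key, message


def agent_unwrap(agent_key, index, message):
    """What one recovery agent can do alone: unwrap its own share."""
    wrapped = message["recovery_field"][index]
    return keystream_xor(agent_key, message["nonce"] + bytes([index]), wrapped)


def third_party_recover(message, agent_keys):
    """All agents cooperating recover the plaintext with no user involvement."""
    shares = [agent_unwrap(k, i, message) for i, k in enumerate(agent_keys)]
    session_key = combine(shares)
    return keystream_xor(session_key, message["nonce"] + b"\xff", message["ciphertext"])


def demo():
    agent_keys = [secrets.token_bytes(KEY_LEN) for _ in range(3)]
    session_key, message = encrypt_with_recovery(PLAINTEXT, agent_keys)
    # Normal channel: the recipient holds the session key.
    normal = keystream_xor(session_key, message["nonce"] + b"\xff", message["ciphertext"])
    # Recovery channel: only the agents' long-term keys and the message are used.
    recovered = third_party_recover(message, agent_keys)
    # Two of three agents cannot reconstruct the session key.
    partial = combine([agent_unwrap(k, i, message) for i, k in enumerate(agent_keys[:2])])
    return normal, recovered, partial == session_key


if __name__ == "__main__":
    print(demo())
```

The agents' long-term keys never change between messages, so anyone holding all of them can open every message that carries a recovery field, without any signal reaching the sender or recipient.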

Many interested parties have sought to draw sharp
distinctions among the various key recovery proposals.
It is certainly true that several new key recovery
systems have emerged that can be distinguished from
the original "Clipper" proposal by their methods of
storing and recovering keys. However, our discussion
takes a higher-level view of the basic requirements of
the problem rather than the details of any particular
scheme; it does not require a distinction between
"key escrow," "trusted third-party," and "key recovery."
All these systems share the essential elements that
concern us for the purposes of this study:

• A mechanism, external to the primary means
of encryption and decryption, by which a third
party can obtain covert access to the plaintext
of encrypted data.

• The existence of a highly sensitive secret key
(or collection of keys) that must be secured for
an extended period of time.

Taken together, these elements encompass a system
of "ubiquitous key recovery" designed to meet law
enforcement specifications. While some specific details
may change, the basic requirements most likely will
not: they are the essential requirements for any system
that meets the stated objective of guaranteeing law
enforcement agencies timely access, without user notice,
to the plaintext of encrypted communications traffic.

2. KEY RECOVERABILITY:
Government vs. End-User Requirements

Key recovery systems have gained currency due to the
desire of government intelligence and law enforcement
agencies to guarantee that they have access to
encrypted information without the knowledge or
consent of encryption users. A properly designed
cryptosystem makes it essentially impossible to
recover encrypted data without knowledge of the
correct key. In some cases this creates a potential
problem for the users of encryption themselves; the
cost of keeping unauthorized parties out is that if
keys are lost or unavailable at the time they are
needed, the owners of the encrypted data will be
unable to make use of their own information. It has
been suggested, therefore, that industry needs and
wants key recovery, and that the kind of key recovery
infrastructure promoted by the government would
serve the commercial world's needs for assuring
availability of its own encrypted data. Several recent
government proposals (along with commercial products
and services designed to meet the government's
requirements) have been promoted as serving the
dual role of assuring government access as well
as "owner" access to encrypted data. However, the
requirements of a government and the requirements
of the commercial world and individual users are
very different in this regard, so different that, in fact,
there is little overlap between systems that address
these two problems.

The ultimate goal of government-driven key recovery 
encryption, as stated in the U.S. Department of 
Commerce's recent encryption regulations, "envisions 
a worldwide key management infrastructure with the 
use of key escrow and key recovery encryption 
items." [15] The requirements put forward to meet 
law enforcement demands for such global key 
recovery systems include: 

• Third-party/government access without notice to
or consent of the user. Even so-called "self-escrow"
systems, where companies might hold
their own keys, are required to provide sufficient
insulation between the recovery agents and the key
owners to avoid revealing when decryption
information has been released.

• Ubiquitous international adoption of key recovery.
Key recovery helps law enforcement only if it is so
widespread that it is used for the bulk of encrypted
stored information and communications, whether
or not there is end-user demand for a recovery
feature.

• High-availability, around-the-clock access to
plaintext under a variety of operational conditions.
Law enforcement seeks the ability to obtain
decryption keys quickly - within two hours under
current U.S. and other proposed regulations. [16]
Few commercial encryption users need the ability
to recover lost keys around the clock, or on such
short notice.

• Access to encrypted communications traffic as well 
as to encrypted stored data. To the extent that 
there is commercial demand for key recovery, it is 
limited to stored data rather than communications 
traffic. 

In fact, the requirements of government key recovery
are almost completely incompatible with those of 
commercial encryption users. The differences are 
especially acute in four areas: the kinds of data for 
which recovery is required, the kinds of keys for 
which recovery is required, the manner in which 
recoverable keys are managed, and the relationship 
between key certification and key recovery. 
Government key recovery does not serve private 
and business users especially well; similarly, the key 
management and key recoverability systems naturally 
arising in the commercial world do not adapt well 
to serve a government. 

2.1 Communication 
Traffic vs. Stored Data 

While key "recoverability" is a potentially important 
added-value feature in certain stored data systems, in 
other applications of cryptography there is little or no 
user demand for this feature. In particular, there is 
hardly ever a reason for an encryption user to want 
to recover the key used to protect a communication
session such as a telephone call, FAX transmission,
or Internet link. If such a key is lost, corrupted, or
otherwise becomes unavailable, the problem can
be detected immediately and a new key negotiated.
There is also no reason to trust another party with
such a key. Key recoverability, to the extent it has a
private-sector application at all, is useful only for the
keys used to protect irreproducible stored data.
There is basically no business model for other uses,
as discussed below.

[15] Dept. of Commerce, "Interim Rule on Encryption Items," Federal Register, Vol. 61, p. 68572
(Dec. 30, 1996)

[16] For example, the recent British "Trusted Third-Party" system proposes similar law enforcement
demands, requiring one hour turnaround time for TTP recovery agents. See U.K. Department of
Trade and Industry, "LICENSING OF TRUSTED THIRD-PARTIES FOR THE PROVISION OF ENCRYPTION
SERVICES," (March 1997) (Public Consultation Paper).

In stored data applications, key recovery is only one 
of a number of options for assuring the continued 
availability of business-critical information. These 
options include sharing the knowledge of keys among 
several individuals (possibly using secret-sharing 
techniques), obtaining keys from a local key registry
that maintains backup copies, careful backup 
management of the plaintext of stored encrypted data, 
or, of course, some kind of key recovery mechanism. 
The best option among these choices depends on the 
particular application and user. 

Encrypted electronic mail is an interesting special case, 
in that it has the characteristics of both communication 
and storage. Whether key recovery is useful to the user 
of a secure E-mail system depends on design of the 
particular system. 

The government, on the other hand, proposes a key 
recovery infrastructure that applies to virtually all 
cryptographic keys, including (especially) those 
used to protect communications sessions. 



2.2 Authentication vs. Confidentiality Keys

Although cryptography has traditionally been associated 
with confidentiality, other cryptographic mechanisms, 
such as authentication codes and digital signatures, 
can ensure that messages have not been tampered 
with or forged. Some systems provide properties 
analogous to those of handwritten signatures, 
including "non-repudiation" - the recipient can 
prove to a third party that a message was signed by 
a particular individual. 

Much of the promise of electronic commerce depends
on the ability to use cryptographic techniques to make 
binding commitments. Yet some key recovery schemes 
are designed to archive authentication and signature 
keys along with confidentiality keys. Such schemes 
destroy the absolute non-repudiation property that 
makes binding commitments possible. Furthermore, 
there are simply no legitimate uses for authentication 
or signature key recovery. The private sector requires 
distinct keys for all signers, even when two or more 
individuals are authorized to send a given message; 
without that, the ability to audit transactions is 
destroyed. Government surveillance does not 
require the recovery of signature keys, either. 

However, it is difficult to exclude authentication and 
signature keys from a key recovery infrastructure of 
the kind proposed by the government, because some 
keys are used for both signature and encryption. [17] 
Nor is it sufficient to exclude from the recovery system 
keys used only to protect financial transactions, since 
many electronic commerce schemes use keys that
are general in scope. The same key might be used,
for example, to encrypt personal electronic mail as
well as to electronically sign contracts or authorize
funds transfers.

[17] In fact, it is technically straightforward for two parties to use their authentication
keys to negotiate encryption keys for secure communication. Any system that distributes
trusted authentication keys would ipso facto serve as an infrastructure for private
communication that is beyond the reach of government surveillance.

It has been claimed that non-availability of a signature 
key can be a serious problem for the owner, who will 
then no longer be able to sign messages. But common 
practice allows for the revocation of lost keys, and 
the issuance of new keys with the same rights and 
privileges as the old ones. Recovering lost signature 
and authentication keys is simply never required. 

2.3 Infrastructure: Local vs. Third-Party Control

For a key recovery scheme to be of value to the 
encryption user, it must allow tight control over 
depositing, recovering, and maintaining keys, tied 
to the user's own practices and requirements. 
Generally, only a small number of individuals will 
need the ability to recover any individual key, often 
working in the same location and personally known 
to one another. When a key does need to be recovered, 
it will frequently be a local matter, similar to the 
replacement of a misplaced office key or restoring a 
computer file with a backup copy. The hours at which 
the key recovery might take place, the identification 
of the individuals authorized for a particular key, the 
policy for when keys should be recovered, and other 
basic operational procedures will vary widely from 
user to user, even within a single business. Particularly 
important is the control over when and how "recoverable" 
keys are destroyed when they are no longer needed, 
especially for keys associated with sensitive personal 
and business records. 



Similarly, there is usually no business need for secrecy
in the recovery of keys or for the ability to obtain
keys without the initial cooperation of the user. When
key recovery is used in a business environment,
it would generally be one component of the overall 
data management policy of that business. Users 
would normally be trusted to participate in assuring 
recoverability of their own keys, assisted by local 
management practices and supervision. When a key 
must be recovered, it will usually be because the 
users themselves realize that they do not have a copy 
of the correct key or because the keyholder is no 
longer available. Even the frequently-cited hypothetical 
example of the disgruntled employee who refuses 
to decrypt important files is probably most reliably 
and economically dealt with through business data 
management practices (such as management supervision 
and backup of business-critical plaintext) that do 
not require any centralized, standard key recovery 
mechanism. Even in this (rather unusual) case, 
there is no need to hide from the user the fact that 
a key has been recovered. 

The U.S. government, on the other hand, proposes 
key recovery schemes that by their nature do not 
allow local control. The government's requirement for 
the ability to covertly recover keys on short notice 
and without notice to the key owner must almost 
by definition be implemented by a third party whose 
procedures are entirely divorced from those of the users. 
Even when the government permits an organization to 
manage its own keys, the key recovery agent will have 
to be fairly centralized and remote from the actual 
users. This requirement eliminates the first line of 
defense against misuse of key recovery: the vigilance 
of the most concerned party - the key owner. 






2.4 Infrastructure: Key Certification and Distribution vs. Key Recovery

As electronic commerce and encryption use become
more widespread, some form of "Certification
Authorities" (CAs) will be needed in some applications
to help identify encryption users. A CA is a trusted
party that vouches for the identity (or some other
attribute) of an encryption user. It is widely believed 
that development and use of certification authorities 
will be essential for secure and trusted electronic 
exchanges - and, consequently, will become a 
prerequisite to participation in electronic commerce 
and online communications. [18] 

Although superficially similar, in that they are both 
concerned with key management, the nature of key 
recovery is completely different from that of key 
certification. The most important function of a 
certification authority is to certify the public keys used 
in digital signatures; key recovery, on the other hand, 
is concerned with keys used for confidentiality. More 
importantly, the operation of a certification authority 
does not require handling sensitive user data; a CA 
generally handles only users' public keys and never 
learns the associated secret keys. If a CA's secret key
is compromised or revealed, the only direct damage
is that the certificates from it can be forged. On the
other hand, if a key recovery agent's secrets are
compromised, the damage can be far greater and
more direct: every user of that recovery agent might
have its own secrets compromised.

Certification can (and currently does) exist without 
any form of key recovery. Conversely, a key recovery 
infrastructure can exist completely independently of 
any key certification infrastructure. 

Several recent government proposals have attempted 
to associate key recovery with key certification. 
This proposed linkage between CAs and key recovery 
makes no sense technically. On the contrary, such 
linkages have serious liabilities. It is not even clear 
whether such a system would work. To the extent it 
might require depositing keys used for signature and 
identification, such systems create additional security 
risks; there is no justification (even given government 
law enforcement requirements) for third-party access 
to signature keys that, if compromised, could be 
used to impersonate people, or to forge their digital 
signatures. In fact, attempts at achieving key recovery 
through a certification infrastructure would likely be 
ineffective at meeting the goals of law enforcement. 
Many (indeed, most) encryption keys are not certified 
directly, and therefore would be beyond the reach of 
a certification-based recovery system. 



[18] There is a great deal of debate about the appropriate role of government in regulating
CAs. CAs may ultimately be large, centralized, or even government-certified entities, or
smaller, locally-trusted entities. At this early stage in their deployment, no consensus
has emerged on what government role is appropriate. For an excellent overview of the
debate over CA regulation, see Michael Froomkin, "The Essential Role of Trusted
Third-Parties in Electronic Commerce," 75 Oregon L. Rev. 49 (1996).



3. RISKS AND COSTS OF KEY RECOVERY





Key recovery systems are inherently less secure, more 
costly, and more difficult to use than similar systems 
without a recovery feature. Key recovery degrades 
many of the protections available from encryption, 
such as absolute control by the user over the means 
to decrypt data. Furthermore, a global key recovery 
infrastructure can be expected to be extraordinarily 
complex and costly. 

The impact of key recovery can be considered 
in at least three dimensions: 

Risk - The failure of key recovery mechanisms 
can jeopardize the proper operation, underlying 
confidentiality, and ultimate security of encryption 
systems; threats include improper disclosures of 
keys, theft of valuable key information, or failure 
to be able to meet law enforcement demands. 

Complexity - Although it may be possible to make
key recovery reasonably transparent to the end 
users of encryption, a fully functional key recovery 
infrastructure is an extraordinarily complex system, 
with numerous new entities, keys, operational 
requirements, and interactions. In many cases, the 
key recovery aspects of a system are far more complex 
and difficult to implement than the basic encryption 
functions themselves. 

Economic Cost - No one has yet described, much 
less demonstrated, a viable economic model to account 
for the true costs of key recovery. However, it is still 
possible to make sound qualitative judgments about 
the basic system elements, shared by all key recovery 
schemes, that will have the most dramatic impact on
the cost of designing, implementing, deploying, and
operating such systems.

3.1 NEW VULNERABILITIES & RISKS

Any key recovery infrastructure, by its very nature, 
introduces a new and vulnerable path to the unauthorized 
recovery of data where one did not otherwise exist. 
This introduces at least two harmful effects: 

• It removes the inherent guarantees of security 
available through non-recoverable systems, which 
do not have an alternate path to sensitive plaintext 
that is beyond the users' control. 

• It creates new concentrations of decryption
information that are high-value targets for criminals or
other attackers.

These risks arise with cryptography used in 
communication and storage, but perhaps even more 
intensely with cryptography used in authentication. 
(They are compounded even further if any keys 
are used for more than one of these purposes.) 

3.1.1 New Paths to Plaintext 

Regardless of the implementation, if key recovery 
systems must provide timely law enforcement access 
to a whole key or to plaintext, they present a new 
and fast path to the recovery of data that never 
existed before.

The key recovery access path is completely out of the
control of the user. In fact, this path to exceptional 
access is specifically designed to be concealed from 
the encryption user, removing one of the fundamental 
safeguards against the mistaken or fraudulent release 
of keys. 

In contrast, non-recoverable systems can usually 
be designed securely without any alternative paths. 
Alternative paths to access are neither required for 
ordinary operation nor desirable in many applications 
for many users. 

3.1.2 Insider Abuse 

Like any other security system with a human element, 
key recovery systems are particularly vulnerable to 
compromise by authorized individuals who abuse or 
misuse their positions. Users of a key recovery system 
must trust that the individuals designing, implementing, 
and running the key recovery operation are indeed 
trustworthy. An individual, or set of individuals, 
motivated by ideology, greed, or the threat of 
blackmail, may abuse the authority given to them. 
Abuse may compromise the secrets of individuals, 
particular corporations, or even of entire nations. 
There have been many examples in recent times of 
individuals in sensitive positions violating the trust 
placed in them. There is no reason to believe that key 
recovery systems can be managed with a higher 
degree of success. 

The risk of "insider abuse" becomes even more evident 
when attempts are made to design key recovery 
schemes that are international in scope. Such abuse 
can even become institutionalized within a rogue
company or government. National law-enforcement
agencies, for example, might abuse their key recovery 
authority to the advantage of their own country's 
corporations. 

3.1.3 New Targets for Attack 

The nature of key recovery creates new high-value 
targets for attack of encryption systems. Key recovery 
agents will maintain databases that hold, in centralized 
collections, the keys to the information and
communications their customers most value. In many key
recovery systems, the theft of a single private key
(or small set of keys) held by a recovery agent could
unlock much or all of the data of a company or 
individual. Theft of a recovery agent's own private 
keys might provide access to an even broader array 
of communications, or might make it possible to 
easily spoof header information designed to ensure 
compliance with encryption export controls. The key 
recovery infrastructure will tend to create extremely 
valuable targets, more likely to be worth the cost and 
risk of attack. 

The identity of these new rich targets will be highlighted 
by the key recovery systems themselves. Every 
encrypted communication or stored file will be 
required to include information about the location of 
its key retrieval information. This "pointer" is a road 
map showing law enforcement how to recover the 
plaintext, but it may also show unauthorized attackers 
where to focus their efforts. Moreover, even those 
systems (such as split key systems) that can decrease
these risks do so with a marked increase in cost.
For example, splitting a key in half at least doubles
the recovery agent costs. [19] Such systems require
multiple agents, costly additional coordination 
mechanisms, and faster response times necessary 
to assemble split keys and still provide fast access 
to plaintext. Regardless of how many times a key is 
split, law enforcement's demand for timely access 
will still require the development of fast systems for 
the recovery of key parts. Both the systems for key 
part assembly, and the ultimate whole key assembled 
for law enforcement, will present new points of 
vulnerability. 
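
The split-key arrangement discussed above, and the secret-sharing option mentioned in Section 2.1, can be made concrete with a threshold scheme. The following is an added example, not taken from the report: it uses Shamir secret sharing (one common key-splitting method, chosen here as an assumption), and the names `split_key`, `assemble` and `demo` are hypothetical. It shows that every agent stores a full field element rather than a fraction of the key, and that reassembly puts the whole key back in one place.

```python
import secrets

# 2**521 - 1 is a Mersenne prime; the field must be larger than the key.
PRIME = 2**521 - 1
KEY_BITS = 256


def split_key(key: int, threshold: int, agents: int):
    """Shamir split: any `threshold` of the `agents` shares rebuild `key`."""
    if not 1 < threshold <= agents:
        raise ValueError("need 1 < threshold <= agents")
    if not 0 <= key < 2**KEY_BITS:
        raise ValueError("key out of range")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, agents + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def assemble(shares) -> int:
    """Lagrange interpolation at x = 0; the whole key exists here, in one place."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo():
    key = secrets.randbits(KEY_BITS)  # constructed sample key
    shares = split_key(key, threshold=2, agents=3)
    stored_bits = sum(y.bit_length() for _, y in shares)
    return {
        # Any two of the three agents can rebuild the key.
        "any_two_agents_recover": all(
            assemble([shares[i], shares[j]]) == key
            for i in range(3) for j in range(i + 1, 3)
        ),
        # A single agent's share interpolates to an unrelated value.
        "one_agent_recovers": any(assemble([s]) == key for s in shares),
        # Total material the agents must protect, compared with one key.
        "stored_bits_across_agents": stored_bits,
        "key_bits": KEY_BITS,
    }


if __name__ == "__main__":
    print(demo())
```

The storage figure returned by `demo()` counts only the shares themselves; the coordination and fast-assembly systems the text describes are additional.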

3.1.4 Forward Secrecy 

Key recovery is especially problematic in communications 
systems, such as encrypted cellular telephone calls, 
because it destroys the property of forward secrecy. A 
system with forward secrecy is one in which compromising
the keys for decrypting one communication
does not reduce the security of other communications. 
For example, in an encrypted telephone call, the keys 
for encrypting a call can be established as the call is 
set up. If these keys are destroyed when the call is 
over, the participants can be assured that no one can 
later decrypt that conversation - even if the keys to 
some subsequent conversation are compromised. 
The result is that once the call is over, the information 
required to decrypt it ceases to exist; not even the 
parties to the call store the keys. Typically, keys are 
created and destroyed on a per-call basis, or even 
many times per call. This makes it possible to limit 
the costs and risks of secure processing and storage 
to the period of the call itself. 

Forward secrecy is desirable and important for two
reasons. First, it simplifies the design and analysis
of secure systems, making it much easier to ensure 
that a design or implementation is in fact secure. 
Secondly, and more importantly, forward secrecy 
greatly increases the security and decreases the 
cost of a system, since keys need to be maintained 
and protected only while communication is actually 
in progress. 

Key recovery destroys the forward secrecy property 
since the ability to recover traffic continues to exist 
long after the original communication has occurred. 
It requires that the relevant keys be stored instead of 
destroyed, so that later government requests for the 
plaintext can succeed. If the keys are stored, they can 
be compromised; if they are destroyed, the threat of 
compromise ceases at that moment. 
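
The contrast drawn in this section can be run as a small simulation. This is an added example, not part of the report: the Diffie-Hellman group and the SHA-256 stream cipher are toy stand-ins chosen for brevity, and all function names and call contents are constructed. Each call negotiates a fresh key; in one run the key is discarded at hang-up, in the other it is deposited in an escrow store.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters for illustration only: the prime 2**255 - 19
# used as a plain modulus. Real systems use vetted groups or curves.
P = 2**255 - 19
G = 2

# Constructed sample traffic, one message per call.
CALLS = [b"call 0: merger terms", b"call 1: payroll figures", b"call 2: lunch order"]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def negotiate_session_key() -> bytes:
    """Both ends pick fresh exponents; they go out of scope when this returns."""
    a = secrets.randbelow(P - 3) + 2
    b = secrets.randbelow(P - 3) + 2
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)  # values sent on the wire
    shared_a, shared_b = pow(pub_b, a, P), pow(pub_a, b, P)
    assert shared_a == shared_b
    return hashlib.sha256(shared_a.to_bytes(32, "big")).digest()


def place_calls(messages, escrow=None):
    """Return the ciphertexts an eavesdropper records and the last call's key."""
    recorded, key = [], None
    for call_id, msg in enumerate(messages):
        key = negotiate_session_key()  # previous key is overwritten (destroyed)
        recorded.append(keystream_xor(key, msg))
        if escrow is not None:
            escrow[call_id] = key      # key recovery: the key outlives the call
    return recorded, key


def exposed_calls(recorded, known_keys, messages):
    """Evaluation helper: ids of recorded calls that the known keys decrypt."""
    return [
        call_id for call_id, ct in enumerate(recorded)
        if any(keystream_xor(k, ct) == messages[call_id] for k in known_keys)
    ]


def demo():
    # Forward-secret system: only the most recent session key is later compromised.
    recorded, leaked = place_calls(CALLS)
    forward_secret = exposed_calls(recorded, [leaked], CALLS)
    # Key recovery system: the store of retained session keys is compromised.
    escrow = {}
    recorded, _ = place_calls(CALLS, escrow)
    with_recovery = exposed_calls(recorded, list(escrow.values()), CALLS)
    return forward_secret, with_recovery


if __name__ == "__main__":
    print(demo())
```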

3.2 NEW COMPLEXITIES 

Experience has shown that secure cryptographic 
systems are deceptively hard to design and build 
properly. The design and implementation of even 
the simplest encryption algorithms, protocols, and 
implementations is a complex and delicate process. 
Very small changes frequently introduce fatal security 
flaws. Non-key recovery systems have rather simple 
requirements and yet exploitable flaws are still often 
discovered in fielded systems. 

Our experiences designing, analyzing and implementing 
encryption systems convince us that adding key recovery 
makes it much more difficult to assure that such systems 
work as intended. It is possible, even likely, that 
lurking in any key recovery system are one or more 
design, implementation, or operational weaknesses
that allow recovery of data by unauthorized parties.
The commercial and academic world simply does
not have the tools to properly analyze or design the
complex systems that arise from key recovery.

[19] Storage of a smaller key part is not necessarily cheaper than storage of the whole key, and the
preferred key-splitting methods generally produce key parts each of which is as large as the

This is not an abstract concern. Most of the key 
recovery or key escrow proposals made to date, 
including those designed by the National Security 
Agency, have had weaknesses discovered after their 
initial implementation. For example, since the system's 
introduction in 1993, several failures have been 
discovered in the U.S. Escrowed Encryption Standard, 
the system on which the "Clipper Chip" is based. 
These problems are not a result of incompetence 
on the part of the system's designers. Indeed, the 
U.S. National Security Agency may be the most 
advanced cryptographic enterprise in the world, 
and it is entrusted with developing the cryptographic 
systems that safeguard the government's most 
important military and state secrets. The reason 
the Escrowed Encryption Standard had flaws is 
that good security is an extremely difficult technical 
problem to start with, and key recovery adds 
enormous complications with requirements 
unlike anything previously encountered. 

3.2.1 Scale 

Key recovery as envisioned by law enforcement will 
require the deployment of secure infrastructures 
involving thousands of companies, recovery agents, 
regulatory bodies, and law enforcement agencies 
worldwide interacting and cooperating on an 
unprecedented scale. 

Once widely available, encryption will likely be used 
for the bulk of network communications and storage
of sensitive files. By the year 2000 - still early in
the adoption of information technologies - fielding 
the ubiquitous key recovery system envisioned by 
law enforcement could encompass: 

• Thousands of products. There are over 800 
encryption products worldwide today, and this 
number is likely to grow dramatically. 

• Thousands of agents all over the world.
Proposed systems contemplate many key recovery
agents within this country alone; other countries 
will want agents located within their borders. 
Large companies will want to serve as their own 
key recovery agents. Each of these agents will 
need to obtain U.S. certification and possibly 
certification by other countries as well. 

• Tens of thousands of law enforcement
agencies. There are over 17,000 local, state, 
and federal law enforcement agencies in the United 
States alone that might seek key information for 
authorized wiretaps or seized data. [20] National 
and local agencies around the world will also want 
access to keys. 

• Millions of users. Several million Web users 
today use encrypted communications whenever 
their Web browser encounters a secure page
(such as many of those used for credit card
transactions). There will be an estimated 100
million Internet users by the year 2000, most
of whom will be likely to regularly encrypt 
communications as part of the next version of 
the standard Internet protocols. Millions of 
other corporate and home computer users will 
also regularly encrypt stored information or 
intra-network communications. 



• Tens of millions (or more) of public-private
key pairs. Most users will have several public key
pairs for various purposes. Some applications create
key pairs "on-the-fly" every time they are used.

• Hundreds of billions of recoverable session
keys. Every encrypted telephone call, every stored
encrypted file, every e-mail message, and every
secure web session will create a session key to be
accessed. (Various key recovery schemes may avoid
the need for the recovery center to process these
session keys individually, but such "granularity
shifts" introduce additional risk factors -
see Section 3.4.1 below.)

[20] U.S. Department of Justice, Bureau of Justice Statistics, Sourcebook of Criminal Justice
Statistics 1995 (1996), p. 39.

Ultimately, these numbers will grow further as 
improved information age technologies push 
more people and more data online. 

The overall infrastructure needed to deploy and 
manage this system will be vast. Government agencies 
will need to certify products. Other agencies, both within 
the U.S. and in other countries, will need to oversee 
the operation and security of the highly-sensitive 
recovery agents - as well as ensure that law 
enforcement agencies get the timely and confidential 
access they desire. Any breakdown in security among 
these complex interactions will result in compromised 
keys and a greater potential for abuse or incorrect 
disclosures. 

There are reasons to believe secure key recovery 
systems are not readily scalable. Order-of-magnitude 
increases in the numbers of requesting law enforcement 
agencies, product developers, regulatory oversight 



agencies, and encryption end users all make the tasks 
of various actors in the key recovery system not only 
bigger, but much more complex. In addition, there 
are significant added transaction costs involved with 
coordination of international key recovery regimes 
involving many entities. 

The fields of cryptography, operating systems, 
networking, and system administration have no 
substantive experience in deploying and operating 
secure systems of this scope and complexity. We 
simply do not know how to build a collective secure 
key-management infrastructure of this magnitude, 
let alone operate one, whether the key-recovery 
infrastructure is centralized or widely distributed. 

3.2.2 Operational Complexity 

The scale on which a government-access key recovery 
infrastructure must operate exacerbates many of 
the security problems with key recovery. The stated 
requirements of law enforcement demand the 
construction of highly complex key recovery systems. 
Demands on the speed and process for recovering 
keys will greatly increase the complexity of tasks 
facing those trusted with key recovery information. 
Demands for ubiquitous worldwide adoption of key 
recovery will greatly increase the complexity and 
number of entities involved. Each of these will in turn 
have a significant impact on both the security and 
cost of the key recovery system.

Consider the tasks that a typical key
recovery center will perform to meet one 
law enforcement request for a session key 
for one communication or stored file: 

• Reliably identify and authenticate requesting law 
enforcement agents (there are over 17,000 U.S. 
domestic law enforcement organizations).

• Reliably authenticate court order or other 
documentation. 

• Reliably authenticate target user and data. 

• Check authorized validity time period. 

• Recover session key, plaintext data, 
or other decryption information. 

• Put recovered data in required format. 

• Securely transfer recovered data, 
but only to authorized parties. 

• Reliably maintain an audit trail.

Each of these tasks must be performed securely in a 
very short period of time in order to meet government 
requirements. For example, the most recent U.S. 
Commerce Department regulations governing recovery 
agents require two hour turnaround of government 
requests, around the clock. The tasks must be 
performed by agents all over the world serving millions 
of clients and responding to requests from both those 
clients and numerous law enforcement agencies. 

There are few, if any, secure systems that operate 
effectively and economically on such a scale and 
under such tightly-constrained conditions - even if 
these requirements are relaxed considerably (e.g.,
one day response time instead of two hours). The
urgent rush imposed by very short retrieval times, and
the complexity of the tasks involved, are anathema
to the careful scrutiny that should be included in such 
a system. If there is uncertainty at any step of the 
access process, there may be insufficient time to verify 
the authenticity or accuracy of a retrieval request. 

It is inevitable that a global key recovery infrastructure 
will be more vulnerable to fraudulent key requests, will 
make mistakes in giving out the wrong key, and will 
otherwise compromise security from time to time. While 
proper staffing, technical controls, and sound design 
can mitigate these risks to some extent (and at
considerable cost), the operational vulnerabilities associated
with key recovery cannot be eliminated entirely. 

3.2.3 Authorization for Key Recovery

One of the requirements for a key recovery operation 
is that it must authenticate the individual requesting 
an archived key. Doing so reliably is very difficult. 

"Human" forms of identification - passports, 
birth certificates, and the like - are often easily 
counterfeited. Indeed, news reports describe "identity 
theft" as a serious and growing problem. Electronic 
identification must be cryptographic, in which case a 
key recovery system could be used to attack itself. 
That is, someone who steals - or recovers - a 
signature key for a law enforcement officer or a 
corporate officer could use this key to forge legitimate 
requests for many other keys. For that matter, if a 
sensitive confidentiality key were stolen or obtained 
from the repository, it might be possible to use it to 
eavesdrop on other key recovery conversations. 



In contrast, a business's local, day-to-day key recovery 
process could rely on personal identification. A 
system administrator or supervisor would know who 
had rights to which keys. Even more questionable 
requests, such as those over the phone, could be 
handled appropriately; the supervisor could weigh 
such factors as the sensitivity of the information 
requested, the urgency of the request as known a 
priori, and even the use of informal authentication 
techniques, such as references to shared experiences. 
But none of these methods scale well to serve requests 
from outside the local environment, leaving them 
unsuitable for use by larger operations or when 
requests come from persons or organizations not 
personally known to the keyholders. 
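
The checklist in Section 3.2.2 and the authorization problem described in this section can be seen together in a short model. This is an added example, not part of the report: the `RecoveryCenter` class, the request fields, and all identifiers and credentials are constructed, and an HMAC stands in for the digital signature a real requester would use. The center authenticates the requester, checks the order's validity period and target, and keeps a hash-chained audit trail; the last case shows that a request made with a copy of the agency's credential passes every check and is logged exactly like a legitimate one.

```python
import hashlib
import hmac
import json

# Constructed sample data; HMAC stands in for a digital signature.
AGENCY_KEYS = {"agency-001": b"constructed-demo-credential"}
ESCROWED = {"user-42": "escrowed-key-placeholder"}


def canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def sign(request: dict, credential: bytes) -> str:
    return hmac.new(credential, canonical(request), hashlib.sha256).hexdigest()


class RecoveryCenter:
    def __init__(self, agency_keys, escrowed):
        self.agency_keys = agency_keys
        self.escrowed = escrowed
        self.audit = []  # hash-chained, tamper-evident audit trail

    def _refusal(self, request, tag, now):
        """Return the reason to refuse, or None if every check passes."""
        credential = self.agency_keys.get(request.get("agency"))
        if credential is None:
            return "unknown agency"
        if not hmac.compare_digest(sign(request, credential), tag):
            return "bad authenticator"
        if not request["valid_from"] <= now <= request["valid_until"]:
            return "order not in force"
        if request["target"] not in self.escrowed:
            return "unknown target"
        return None

    def handle(self, request, tag, now):
        reason = self._refusal(request, tag, now)
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        entry = {"agency": request.get("agency"), "target": request.get("target"),
                 "time": now, "outcome": reason or "released"}
        digest = hashlib.sha256(prev.encode() + canonical(entry)).hexdigest()
        self.audit.append({"entry": entry, "prev": prev, "digest": digest})
        return None if reason else self.escrowed[request["target"]]

    def audit_intact(self):
        prev = "0" * 64
        for rec in self.audit:
            want = hashlib.sha256(prev.encode() + canonical(rec["entry"])).hexdigest()
            if rec["prev"] != prev or rec["digest"] != want:
                return False
            prev = rec["digest"]
        return True


def demo():
    center = RecoveryCenter(AGENCY_KEYS, ESCROWED)
    order = {"agency": "agency-001", "target": "user-42",
             "order_id": "ORDER-PLACEHOLDER", "valid_from": 100, "valid_until": 200}
    good_tag = sign(order, AGENCY_KEYS["agency-001"])
    results = {
        "legitimate": center.handle(order, good_tag, now=150),
        "expired": center.handle(order, good_tag, now=250),
        "altered_target": center.handle(dict(order, target="user-7"), good_tag, now=150),
    }
    # A party holding a copy of the agency credential produces a request the
    # center cannot tell apart from the legitimate one.
    copied = bytes(AGENCY_KEYS["agency-001"])
    results["copied_credential"] = center.handle(order, sign(order, copied), now=151)
    results["audit_intact"] = center.audit_intact()
    results["outcomes"] = [rec["entry"]["outcome"] for rec in center.audit]
    return results


if __name__ == "__main__":
    print(demo())
```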

3.3 NEW COSTS 

Key recovery, especially on the scale required for 
government access, will be very expensive. New 
costs are introduced across a wide range of entities 
and throughout the lifetime of every system that uses 
recoverable keys. 

The requirements set out by law enforcement impose 
new system costs for designing, deploying, and 
operating the ubiquitous key recovery system. 

These costs include: 

• Operational costs for key recovery agents -
the cost of maintaining and controlling sensitive,
valuable key information securely over long 
periods of time; of responding to both law 
enforcement requests and legitimate commercial 
requests for data; and of communicating with 
users and vendors. 



• Product design and engineering costs -
new expenses entailed in the design of secure
products that conform to the stringent key 
recovery requirements. 

• Government oversight costs - substantial
new budgetary requirements for government, law 
enforcement, or private certification bodies, to 
test and approve key recovery products, certify 
and audit approved recovery agents, and support 
law enforcement requests for and use of recovered 
key information. 

• User costs - including both the expense of 
choosing, using, and managing key recovery 
systems and the losses from lessened security 
and mistaken or fraudulent disclosures of 
sensitive data. 

3.3.1 Operational Costs 

The most immediately evident problem with key 
recovery may be the expense of securely operating 
the infrastructure required to support it. In general, 
cryptography is an intrinsically inexpensive technology; 
there is little need for externally-operated "infrastructure" 
(outside of key certification in some applications) 
to establish communication or store data securely. 
Key recovery, on the other hand, requires a complex 
and poorly understood - and hence expensive and 
insecure - infrastructure. 

The operational complexity described in the previous 
section introduces substantial ongoing costs at each 
key recovery center. These costs are likely to be very 
high, especially compared with the ordinary operational 
expenses that might be expected in commercial key 
recovery systems. Government key recovery requires, 
for example, intensive staffing (7x24 hours), highly 
trained and highly trusted personnel, and high-assurance 
hardware and software systems in order to meet the 
government's requirements in a secure manner. 
These costs are borne by all encryption applications, 
even those where key recovery is not beneficial to 
the user or even to law enforcement. 

It remains unclear whether the high-risk, high-liability 
business of operating a key recovery center, with 
limited consumer demand to date, will even be 
economically viable. 

3.3.2 Product Design Costs 

Key recovery also increases the difficulty and expense of 
designing user-level encryption software and hardware. 
These costs vary depending on the particular application 
and the precise nature of the recovery system, but 
could be substantial in some cases. Integrating key 
recovery, especially in a secure manner, can also 
substantially delay the release of software. Given the 
highly competitive nature and short product life-cycles 
of today's hardware and software markets, such delays 
could discourage vendors from incorporating it at all, 
or worse, encourage sloppy, poorly-validated designs. 
Compatibility with older products presents special 
challenges and further increases these costs. 

3.3.3 End-User Costs 

Without government-driven key recovery, encryption 
systems can easily be fielded in a way that is largely 
transparent to their users. Highly secure communication 
and storage need require nothing further than 
the purchase of a reputable commercial product with 
strong encryption features tested in the marketplace. 
The use of that encryption need require nothing more 
than the setting of an option, the click of an icon, 
or the insertion of a hardware card. We are fully 
confident that, in an unregulated marketplace, many 
applications will ship with such high-quality 
user-transparent encryption built in. This is 
already happening at negligible cost to the user. 

In contrast, the use of a secure key recovery system 
requires at least some additional user effort, diligence, 
or expense. In addition to the purchase of an encryption 
product, one or more key recovery agent(s) must be 
chosen. The user must enter into an important 
(although possibly implicit) contractual relationship 
with that agent, a relationship that will govern the 
potential disclosure of the most sensitive key 
information - now and for years to come. In many 
cases, there will need to be some communication of 
key information between user and the recovery agent. 
(Although some products will come with a built-in 
key, prudent users may want to change their keys on 
a regular basis. Also, software, especially mass-market 
"shrink-wrapped" software, cannot usually be 
economically distributed with unique keys installed 
in each individual copy). 

The burdens on key recovery users continue long 
after data have been encrypted. Key recovery agents 
will maintain the ability to decrypt information for 
years. During that time, an agent might relax its security 
policies, go bankrupt, or even be bought out by a 
competitor - but will retain, and in fact must 
retain, the ability to decrypt. Diligent and concerned 
encryption users will need to be aware of the fate 
of their key recovery agents for years after their 
initial encryption use. 



These burdens will apply to all users of encryption. 
Each use of encryption may entail the entry into 
a contractual relationship with a third-party key 
recovery agent. Under any rational business model, 
each such instance will entail some additional cost. 

3.4 TRADEOFFS 

Some aspects of key recovery can be easily shifted 
along a spectrum from higher cost to higher risk. 
While it may be possible to field a particular key 
escrow system in a relatively secure way, this often 
results in tremendous costs to the user. While relatively 
simple and inexpensive key escrow systems exist, they 
often jeopardize security. For example, a poorly-run 
key recovery agent, employing less-skilled low-paid 
personnel, with a low level of physical security, and 
without liability insurance could be expected to be 
less expensive to operate than a well-run center. 

Interestingly, security and cost can also be traded off 
with respect to the design itself. That is, the simplest 
designs, those that are easiest to understand and 
easiest to verify, also tend to require the most stringent 
assumptions about their environment and operation 
or have the worst failure characteristics. For example, 
imagine a design in which session keys are sent to the 
recovery center by encrypting them with the center's 
globally-known public key. Such a system might be 
relatively simple to design and implement, and one 
might even be able to prove that it is secure when 
operated correctly and under certain assumptions. 
However, this is among the worst possible designs 
from a robustness point of view: it has a single point 
of failure (the key of the recovery agent) with which 
all keys are encrypted. If this key is compromised 
(or a corrupt version distributed), all the recoverable 
keys in the system could be compromised. (We note 
that several commercial systems are based on almost 
exactly this design.) 
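
The single-point-of-failure argument above can be made concrete with a small model. This is an added example, not part of the original report: it goes beyond the single-key design to compare it with a variant that uses one agent key per user, the user names and counts are constructed, and the HMAC-based `wrap` is a symmetric stand-in (an assumption) for encrypting a session key to the recovery agent's public key.

```python
import hashlib, hmac, secrets

def _mac(secret, label, data):
    return hmac.new(secret, label + data, hashlib.sha256).digest()

def wrap(agent_secret, session_key):
    """Stand-in for 'encrypt the session key to the recovery agent'.
    Assumption: a symmetric secret replaces the agent's key pair."""
    nonce = secrets.token_bytes(16)
    pad = _mac(agent_secret, b"pad", nonce)[:len(session_key)]
    body = bytes(a ^ b for a, b in zip(session_key, pad))
    return nonce + body + _mac(agent_secret, b"tag", nonce + session_key)

def unwrap(agent_secret, blob):
    """Return the session key, or None if this agent secret did not wrap it."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    pad = _mac(agent_secret, b"pad", nonce)[:len(body)]
    key = bytes(a ^ b for a, b in zip(body, pad))
    expected = _mac(agent_secret, b"tag", nonce + key)
    return key if hmac.compare_digest(tag, expected) else None

def build_escrow(users, sessions_each, per_user):
    """Return (agent_secrets, escrow_records). With per_user=False every
    record is wrapped under one global agent secret, as in the simple design."""
    global_secret = secrets.token_bytes(32)
    agent = {u: secrets.token_bytes(32) if per_user else global_secret
             for u in users}
    records = [(u, wrap(agent[u], secrets.token_bytes(16)))
               for u in users for _ in range(sessions_each)]
    return agent, records

def exposed_by_leak(records, leaked_secret):
    """Count escrowed session keys recoverable from one leaked agent secret."""
    return sum(unwrap(leaked_secret, blob) is not None for _, blob in records)

def compare(users=("alice", "bob", "carol", "dave"), sessions_each=5):
    """Leak the agent secret associated with the first (constructed) user."""
    out = {}
    for label, per_user in (("single global key", False),
                            ("one key per user", True)):
        agent, records = build_escrow(users, sessions_each, per_user)
        out[label] = (exposed_by_leak(records, agent[users[0]]), len(records))
    return out

if __name__ == "__main__":
    for label, (hit, total) in compare().items():
        print(f"{label}: {hit}/{total} escrowed session keys exposed")
```

The per-user variant only narrows the scope of a compromise; the model does not capture the cost of negotiating and distributing those additional keys.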



3.4.1 Key Recovery Granularity and Scope 

One of the most important factors influencing the 
cost and security of key recovery is the granularity and 
scope of the keys managed by the key recovery system. 
In particular, it is important to understand two issues: 

• Granularity: the kinds of keys (user, device, 
session, etc.) that are recoverable. 

• Scope: the consequences of compromising a 
recovery agent's key. 

Granularity is important because it defines how 
narrowly-specified the data to be recovered from 
an agent can be and how often interactions (by the 
user and by law enforcement) with the recovery agent 
must take place. Various systems have been proposed 
in which the recovery agent produces "master" keys 
that can decrypt all traffic to or from individual users 
or hardware devices. In other systems, only the keys for 
particular sessions are recovered. Coarse granularity 
(e.g., the master key of the targeted user) allows only 
limited control over what can be recovered (e.g., all 
data from a particular individual) but requires few 
interactions between law enforcement and the recovery 
center. Finer granularity (e.g., individual session 
keys), on the other hand, allows greater control (e.g., 
the key for a particular file or session, or only sessions 
that occurred within a particular time frame), but 
requires more frequent interaction with the recovery 
center (and increased design complexity). 

Also important is the scope of the recovery agent's 
own secret. Most key recovery systems require the user 
software or hardware to send keys to the recovery 
agent by encrypting them with the recovery agent's 
public key. If a recovery agent has only a single such 
key, that key becomes an extraordinarily valuable, 
global, single point of failure. Worse, because the 
recovery agent must use the secret component of 
this key in order to decrypt the keys sent to it (or at 
least any time a key is recovered), its exposure to 
compromise or misuse is also increased. To address 
this vulnerability, a recovery agent may have many 
such keys, perhaps one or more for each user. 
However, negotiating and distributing these keys 
to the users introduces still other complexities 
and vulnerabilities. 

4. CONCLUSIONS 

Key recovery systems are inherently less secure, more 
costly, and more difficult to use than similar systems 
without a recovery feature. The massive deployment 
of key-recovery-based infrastructures to meet law 
enforcement's specifications will require significant 
sacrifices in security and convenience and substantially 
increased costs to all users of encryption. Furthermore, 
building the secure infrastructure of the breathtaking 
scale and complexity that would be required for such 
a scheme is beyond the experience and current 
competency of the field, and may well introduce 
ultimately unacceptable risks and costs. 

Attempts to force the widespread adoption of key 
recovery through export controls, import or domestic 
use regulations, or international standards should be 
considered in light of these factors. We urge public 
debate to carefully weigh the costs and benefits of 
government-access key recovery before these systems 
are deployed. 